View Issue Details

ID: 0017434
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2020-08-06 14:23
Reporter: gwald
Assigned To:
Status: new
Resolution: open
Product Version: 7.8-2003
Summary: 0017434: SELinux is preventing /usr/sbin/libvirtd from connectto access on the unix_stream_socket /run/libvirt/virtlockd-sock
Description:
SELinux is preventing /usr/sbin/libvirtd from connectto access on the unix_stream_socket /run/libvirt/virtlockd-sock.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that libvirtd should be allowed connectto access on the virtlockd-sock unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c 'libvirtd' --raw | audit2allow -M my-libvirtd
# semodule -i my-libvirtd.pp

Additional Information:
Source Context system_u:system_r:svirt_t:s0:c397,c1008
Target Context system_u:system_r:virtlogd_t:s0-s0:c0.c1023
Target Objects /run/libvirt/virtlockd-sock [ unix_stream_socket ]
Source libvirtd
Source Path /usr/sbin/libvirtd
Port <Unknown>
Source RPM Packages libvirt-daemon-4.5.0-33.el7_8.1.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-266.el7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name
Platform Linux
                              3.10.0-1127.8.2.el7.x86_64 #1 SMP Tue May 12
                              16:57:42 UTC 2020 x86_64 x86_64
Alert Count 1
First Seen 2020-06-05 10:59:42 CEST
Last Seen 2020-06-05 10:59:42 CEST
Local ID 1fef31e2-d10d-4feb-93eb-1feddf85e0f7

Raw Audit Messages
type=AVC msg=audit(1591347582.859:23909): avc: denied { connectto } for pid=121435 comm="libvirtd" path="/run/libvirt/virtlockd-sock" scontext=system_u:system_r:svirt_t:s0:c397,c1008 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0

type=SYSCALL msg=audit(1591347582.859:23909): arch=x86_64 syscall=connect success=no exit=EACCES a0=3 a1=7f94e57b9f10 a2=6e a3=6b636f732d646b items=0 ppid=1 pid=121435 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=libvirtd exe=/usr/sbin/libvirtd subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)

Hash: libvirtd,svirt_t,virtlogd_t,unix_stream_socket,connectto
Steps To Reproduce:
- Update to 7.8.2003
- call:
/usr/bin/virt-install --connect "qemu:///system" --wait 0 --noautoconsole --vnc --accelerate --name testvm --memory 2048 --vcpus 2 --os-variant rhel7.0 --network network:default --location http://cobbler01/cblr/links/CentOS-7-DVD-2003-x86_64 --extra-args="inst.text inst.ks.sendmac console=ttyS0,115200 rd.neednet=1 inst.ks=http://cobbler01/cblr/svc/op/ks/system/testvm" --disk "cache=none,path=/srv/kvm/images/testvm-disk0,size=30,format=raw"

Starting install...
Retrieving file vmlinuz... | 6.4 MB 00:00:00
Retrieving file initrd.img... | 53 MB 00:00:00
Allocating 'testvm-disk0' | 30 GB 00:00:00
ERROR internal error: Process exited prior to exec: libvirt: XML-RPC error : Failed to connect socket to '/var/run/libvirt/virtlockd-sock': Permission denied
Removing disk 'testvm-disk0' | 0 B 00:00:00
Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
  virsh --connect qemu:///system start testvm
otherwise, please restart your installation.

- journalctl -t setroubleshoot | grep virtlockd-sock
- sealert -l <THE-UUID-YOU-SEE>
Tags: No tags attached.




2020-06-16 06:22

reporter   ~0037120

A "yum update", which brought "libvirt-4.5.0-33.el7_8.1" and "selinux-policy-*3.13.1-266.el7", solved the problem.


2020-06-17 04:47

reporter   ~0037133

Grrr - test was on the wrong machine :-((

Problem still exists:

#> cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)

#> yum list libvirt 'selinux*'
libvirt.x86_64 4.5.0-33.el7_8.1
selinux-policy.noarch 3.13.1-266.el7
selinux-policy-targeted.noarch 3.13.1-266.el7


2020-06-19 06:27

reporter   ~0037166

More investigation:

- Install CentOS 7.7
- Update to CentOS 7.8
- Activate lock_manager = "lockd" in "/etc/libvirt/qemu.conf"
- The above error occurs

Without updating "selinux-policy" and "selinux-policy-targeted" from version 3.13.1-252.el7_7.6 to 3.13.1-266.el7, it works.


2020-06-19 06:31

reporter   ~0037167

In our case we also use NFS so we have:

#> getsebool virt_use_nfs
virt_use_nfs --> on

So our workaround is:
- Building the module as suggested in the first report
  -> ausearch -c 'libvirtd' --raw | audit2allow -M libvirtd_fix
- PLUS building a module from another "sealert -l <UUID>"
  -> ausearch -c 'virtlockd' --raw | audit2allow -M virtlockd_fix


2020-08-06 14:23

reporter   ~0037505

I could work around the issue with the above instructions, thanks!

The problem seems to be that in 7.7 virtlockd was labeled virtd_exec_t, but in 7.8 it is labeled virtlogd_exec_t, which seems to be wrong.

This change was done in selinux-policy 3.13.1-253 for

But apparently upstream has a patch which introduces a specific virtlockd_exec_t label and related policy for libvirtlock:, but it does not seem to be integrated with the package in CentOS 7.8.

Note also that this problem is also reported upstream at

Issue History

Date Modified Username Field Change
2020-06-05 09:35 gwald New Issue
2020-06-16 06:22 gwald Note Added: 0037120
2020-06-17 04:47 gwald Note Added: 0037133
2020-06-19 06:27 gwald Note Added: 0037166
2020-06-19 06:31 gwald Note Added: 0037167
2020-08-06 14:23 diego.santacruz Note Added: 0037505